Skip to main content

Imagine a thief used your information to buy things at Kohl’s – or used your Kohl’s credit card to go on a shopping spree. You’d want to get the records to prove it and clear up your good name. The law says you’re entitled to do exactly that. That’s what the FTC’s latest settlement with Kohl’s is about.

FTC sued Kohl’s because the company was not giving records to people whose identities were stolen, as required by law. The law says that, if your identity is stolen, you can get records directly from businesses – for free. You don’t need a subpoena and you don’t have to go through law enforcement. Businesses may require you to provide proof of identity (like a driver’s license) and proof of the identity theft (like a police report and affidavit). But they must give you the records within 30 days.

The law makes it easier for people to document identity theft by getting things like receipts and credit applications. According to the FTC, Kohl’s was not following the law. Instead, Kohl’s required record requests to come from law enforcement or an attorney. To make matters worse, sometimes Kohl’s did not turn over complete records and failed to respond within 30 days.

The FTC’s settlement requires Kohl’s to certify that it gave all identity theft-related records to people who have already requested them. Going forward, Kohl’s must give business records to identity theft victims in a timely way. In addition, Kohl’s must put a notice on their website explaining how you can get copies of business records related to identity theft. And Kohl’s must pay $220,000 in penalties.

If someone stole your identity, visit IdentityTheft.gov to report it and get a personal recovery plan that walks you through the steps to take. You’ll also find a sample letter for requesting business records related to identity theft. Want to know more about what businesses has to give you? Read Identity Theft? Show me the records.

Search Terms
business
identity theft
Topics
Identity Theft and Online Security
Identity Theft

It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system, and user names also are part of the FTC’s computer user records system. We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.

The purpose of this blog and its comments section is to inform readers about Federal Trade Commission activity, and share information to help them avoid, report, and recover from fraud, scams, and bad business practices. Your thoughts, ideas, and concerns are welcome, and we encourage comments. But keep in mind, this is a moderated blog. We review all comments before they are posted, and we won’t post comments that don’t comply with our commenting policy. We expect commenters to treat each other and the blog writers with respect.

  • We won’t post off-topic comments, repeated identical comments, or comments that include sales pitches or promotions.
  • We won’t post comments that include vulgar messages, personal attacks by name, or offensive terms that target specific people or groups.
  • We won’t post threats, defamatory statements, or suggestions or encouragement of illegal activity.
  • We won’t post comments that include personal information, like Social Security numbers, account numbers, home addresses, and email addresses. To file a detailed report about a scam, go to ReportFraud.ftc.gov.

We don't edit comments to remove objectionable content, so please ensure that your comment contains none of the above. The comments posted on this blog become part of the public domain. To protect your privacy and the privacy of other people, please do not include personal information. Opinions in comments that appear in this blog belong to the individuals who expressed them. They do not belong to or represent views of the Federal Trade Commission.

me
June 11, 2020
Great its about time.
Bob the guy
June 11, 2020
It's nice that the government stopped Kohl's evil behavior. But they only fined Kohl's. It seems in most if not all cases with large corporations, none of the CEO's or owners go to jail. They just get a fine which doesn't really hurt them. If an ordinary citizen pulled such an evil crime, he'd go to jail.
David
June 11, 2020
This information is good to know with so much credit card theft going on. Thank you.
AT
June 11, 2020
This means Kohl’s database was breached? When did Kohl’s customer data get breached? I don’t believe I was aware of it nor was I notified of such incident?
FTC Staff
June 12, 2020

In reply to by AT

The FTC doesn’t allege that a data breach happened at Kohl’s. The FTC says that Kohl’s didn’t provide identity theft victims, who might have been the victim of data breach somewhere else, with the information they had a right to request.

Dot
June 11, 2020
Did Kohl's notify customer's that their information was compromised?
FTC Staff
June 12, 2020

In reply to by Dot

The FTC doesn’t allege that a data breach happened at Kohl’s. The FTC says that Kohl’s didn’t provide identity theft victims, who might have been the victim of data breach somewhere else, with the information they had a right to request.

Dog Mama
June 12, 2020
This is very useful information, Will pass it along.
kkkmchris13
June 29, 2020
I checked their website (kohls.com) today, 29 June and there is nothing on there about a data breach, how to get my records or anything related. Did several searches and checked the site map. Nothing, zero, zip. It appears kohls is stonewalling you. K
FTC Staff
June 29, 2020

In reply to by kkkmchris13

The FTC doesn’t allege that a data breach happened at Kohl’s. The FTC says that Kohl’s didn’t provide identity theft victims, who might have been the victim of data breach somewhere else, with the information they had a right to request.

Return to top